Hashicorp Vault

During development it is common to keep local connection strings in the code via settings files. But when it comes time to deploy, hosted environments should not have their secrets persisted as plain text in the code.
Since those cannot be committed to the git repository, they have to be stored in a secure place where they can be managed easily: a vault. Hashicorp Vault is one such tool; it lets us store and retrieve secrets while providing granular control over who can access each secret. Today we will see the basic configuration of Hashicorp Vault to store and retrieve secrets using the Vault CLI.

Start Vault

Save secrets

Create a role with a policy

Retrieve secrets

1. Start Vault

1.1 Configure Vault

Head to https://www.vaultproject.io/downloads.html and download the latest Vault binary, then place it in a folder and add that folder to PATH.

Before starting Vault we need to create a configuration; copy the following into config.hcl:

The first time Vault is initialized, it generates the secret keys (here a single one, since we set key-shares and key-threshold to one) and a root token.
The secret keys need to be kept securely. They are used to reconstruct the master key and execute operations like unsealing the vault or generating another root token.

The root token is provided to the first Vault user to bootstrap the configuration. It grants full access, so it is recommended to revoke it once the configuration is done. If need be, another root token can be generated using the secret keys.

1.3 Unseal vault and login

When Vault starts it is sealed. To unseal it we need the unseal key.

vault operator unseal
Unseal Key (will be hidden):

Once the vault is unsealed, we can log in:

vault login
Token (will be hidden):

We should now be logged in as the root user.

2. Save secrets

Next we can start adding secrets like so:

vault write secret/myapp some_secret=123

As you can see, Vault works like a filesystem with paths: we read and write secrets at a particular path.

3. Create a role with a policy

Here -f is used to force the write, generating the value without posting any content.

Providing the role Id and the secret Id to the application is a safeguard: nobody apart from the application handles the secrets themselves.

Another advantage is that the secret Id lifecycle is controlled by the role.

4. Retrieve secrets

So far we have configured a role and retrieved the role Id and secret Id.
In an application we need to retrieve the secrets which we defined in 2) in order to use them.
To do that we start by authenticating with the role Id and secret Id.

In an application scenario, we would authenticate from within the application and use the resulting token to configure, for example, our database connection settings.
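The role, policy and application login steps of sections 3 and 4, written out as an added shell example (these are not the post's own commands): it assumes a running, unsealed Vault reachable through VAULT_ADDR, an admin token in VAULT_TOKEN, and the KV v1 mount at secret/ that the page's vault write secret/myapp command uses; the role name myapp, the policy name myapp-policy and the TTL values are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): AppRole setup and login for the
# secret written at secret/myapp above. Assumes a running, unsealed Vault at
# VAULT_ADDR, an admin token in VAULT_TOKEN, and a KV v1 mount at secret/
# (on KV v2 the policy path would be secret/data/myapp instead).
set -eu

# Least-privilege policy: the application may only read its own secret path.
myapp_policy() {
  cat <<'EOF'
path "secret/myapp" {
  capabilities = ["read"]
}
EOF
}

# One-time admin configuration: enable AppRole, load the policy, create the role
# (role name, policy name and TTLs are assumed values).
approle_setup() {
  vault auth enable approle 2>/dev/null || true   # already enabled is fine
  myapp_policy | vault policy write myapp-policy -
  vault write auth/approle/role/myapp \
    token_policies="myapp-policy" \
    secret_id_ttl=10m secret_id_num_uses=1 \
    token_ttl=20m token_max_ttl=30m
}

# The role Id is static; the secret Id is generated with -f (no payload) and
# delivered to the application out of band. Prints "role_id secret_id".
issue_credentials() {
  role_id=$(vault read -field=role_id auth/approle/role/myapp/role-id)
  secret_id=$(vault write -f -field=secret_id auth/approle/role/myapp/secret-id)
  printf '%s %s\n' "$role_id" "$secret_id"
}

# Application side: exchange role Id + secret Id for a scoped token, then read
# the secret with that token rather than with the admin token.
app_read_secret() {
  app_token=$(vault write -field=token auth/approle/login \
    role_id="$1" secret_id="$2")
  VAULT_TOKEN="$app_token" vault read -field=some_secret secret/myapp
}

# Run the whole flow only when invoked as: sh approle.sh run
if [ "${1:-}" = "run" ]; then
  approle_setup
  set -- $(issue_credentials)
  app_read_secret "$1" "$2"
fi
```

The application token carries only myapp-policy, so a read of any other path with it is denied; that is the check to run after the flow to confirm the policy actually scopes access.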

Conclusion

Today we saw how we could manage application secrets with Hashicorp Vault by setting up AppRole, an authentication method designed for applications to log in and retrieve their secrets. Hope you liked this post. See you next time!